Protecting the client against Authorization Code injection
This recipe addresses a security flaw that is extremely easy to mitigate, yet many companies still do not pay attention to it: Cross-Site Request Forgery (CSRF) attacks, which allow an attacker to inject a forged authorization code into the client application and thereby compromise the Resource Owner's resources. This recipe shows the importance of the state parameter when using the Authorization Code grant type (it is also important when using the Implicit grant type).
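The mitigation the recipe is about is for the client to bind every authorization request to the user's session with a random state value and to refuse any callback whose state does not match. The following is an added illustration written for this page, not code from the book's projects and not Spring Security's implementation: a plain-Java client with a hypothetical in-memory session store, a constructed client id and endpoint URLs, and a callback handler that discards any authorization code that arrives without the state issued for that session.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical OAuth 2.0 client that ties each authorization request to a session via a random state. */
public class StateProtectedClient {

    private static final SecureRandom RANDOM = new SecureRandom();

    // Assumed stand-in for server-side session storage: session id -> state of the request in flight.
    private final Map<String, String> pendingStates = new ConcurrentHashMap<>();

    private final String authorizeEndpoint;
    private final String clientId;
    private final String redirectUri;

    public StateProtectedClient(String authorizeEndpoint, String clientId, String redirectUri) {
        this.authorizeEndpoint = authorizeEndpoint;
        this.clientId = clientId;
        this.redirectUri = redirectUri;
    }

    /** Generates a fresh 256-bit unguessable state and remembers it for this session. */
    public String newState(String sessionId) {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
        pendingStates.put(sessionId, state);
        return state;
    }

    /** Builds the redirect to the authorization endpoint, carrying the state issued for this session. */
    public String authorizationUrl(String sessionId) {
        String state = newState(sessionId);
        return authorizeEndpoint
                + "?response_type=code"
                + "&client_id=" + enc(clientId)
                + "&redirect_uri=" + enc(redirectUri)
                + "&state=" + enc(state);
    }

    /**
     * Handles the redirect back from the provider. The code is accepted only if the echoed state
     * equals the one issued for this session; the stored state is consumed either way so it cannot
     * be replayed. On mismatch the code must not be exchanged at the token endpoint.
     */
    public boolean acceptCallback(String sessionId, String code, String returnedState) {
        String expected = pendingStates.remove(sessionId);
        if (expected == null || returnedState == null || code == null) {
            return false; // no authorization request in flight for this session
        }
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = returnedState.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(a, b)) {
            return false; // state mismatch: this session never asked for this code
        }
        // Here the client would exchange `code` at the token endpoint (omitted).
        return true;
    }

    private static String enc(String s) {
        try {
            return URLEncoder.encode(s, StandardCharsets.UTF_8.name()); // Java 8 compatible overload
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 is always available
        }
    }

    public static void main(String[] args) {
        // Constructed placeholder endpoints and client id; replace with the real provider's values.
        StateProtectedClient client = new StateProtectedClient(
                "http://localhost:8080/oauth/authorize", "example-client-id", "http://localhost:9000/callback");
        String sessionId = "session-A"; // constructed session identifier

        String url = client.authorizationUrl(sessionId);
        System.out.println("Redirect user to: " + url);

        // Genuine callback: the provider echoes the state this session was issued.
        String issuedState = url.substring(url.indexOf("state=") + "state=".length());
        System.out.println("Genuine callback accepted: "
                + client.acceptCallback(sessionId, "code-from-provider", issuedState));

        // Callback whose state does not match what this session requested: the code is discarded.
        client.authorizationUrl(sessionId);
        System.out.println("Mismatched-state callback accepted: "
                + client.acceptCallback(sessionId, "some-other-code", "wrong-state"));
    }
}
```

The state is generated from `SecureRandom`, compared with `MessageDigest.isEqual` so the check is constant-time, and removed from the session on first use; a callback without a matching state is rejected before any token request is made. In a real deployment the `pendingStates` map is replaced by the HTTP session, which is what binds the state to the browser that started the flow.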
Getting ready
To run this recipe, you will need Java 8, Maven, Spring Web, and Spring Security. If you want to run the examples to explore how to simulate an attack, you have to install Firefox and the NoRedirect add-on. To ease the project creation step, use Spring Initializr at http://start.spring.io/.
How to do it...
This recipe creates the project oauth2-provider-state for the OAuth Provider and client-state for the client application. Both applications...